GHSA-gq7g-vg2q-jvq3
Apache Syncope has an Improper Isolation or Compartmentalization vulnerability
Details
Improper Isolation or Compartmentalization vulnerability in Apache Syncope.
An administrator with adequate entitlements for Implementations can create a malicious Groovy class containing untrusted code reaching a non-sandboxed execution path via the class static initializer.
This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0.
Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by forcing even the static initializer in Groovy code to run in a sandbox.
Are you affected?
Enter the version of the package you're using.
Affected packages
3.0.0-M0 No fixed version published yet for org.apache.syncope.core:syncope-core-spring (maven). Pin to a known-safe version or switch to an alternative.
4.0.0-M0 Fixed in: 4.0.6 # pom.xml: bump <version>4.0.6</version> for org.apache.syncope.core:syncope-core-spring 4.1.0-M0 Fixed in: 4.1.1 # pom.xml: bump <version>4.1.1</version> for org.apache.syncope.core:syncope-core-spring